ISO 27001 Readiness
for B2B SaaS

Get certified in 90 days. Then keep it.

Why ISO 27001 is now a commercial requirement

Enterprise procurement checklists have changed. Security questionnaires that once asked about your password policy now include a line item for ISO 27001 certification — and leaving it blank costs you the deal.

Investors are increasingly asking for it during due diligence as well. A certification signals that your security posture is independently verified, not just claimed. For Series A and beyond, it removes a common blocker.

The NIS2 directive is also driving demand across Europe. Whether or not NIS2 applies to you directly, your customers' compliance obligations are pushing ISO 27001 down their supply chains — and that means you.

Without certification, you are losing deals you do not even know about. Procurement filters happen before the first sales call.

Key facts

  • Typical timeline without guidance:
    18 – 24 months
  • With Veratlas:
    90 days to audit-ready
  • Ongoing internal commitment:
    ~4 hours per month from your team
  • Certification body:
    Your choice — we prepare all the evidence

The pathway

Three steps to certified.

01

Assess

Security Assessment

A 2–3 week engagement that maps all 93 ISO 27001 controls against your current state. We identify gaps, prioritise remediation, and produce a clear roadmap so you know exactly what needs to happen before your audit.

€2,500 — credited in full to the Sprint if you proceed.

02

Build

90-Day Accelerator

We implement every required technical control and produce the full documentation set: ISMS policy, risk register, Statement of Applicability (SoA), and evidence pack v1. At the end of 90 days, you are ready to engage a certification body.

Fixed €28,000. No surprises.

03

Run

The Compliance Engine™

Maintaining ISO 27001 post-certification requires continuous evidence collection, a rolling policy review cycle, and audit support when your surveillance audits come around. The Compliance Engine handles all of it — quarterly compliance reports included.

From €120/user/month.

Deliverables

Everything your auditor needs.

ISMS — Fully Documented

Your Information Security Management System, built to clauses 4–10 of ISO 27001:2022. Not a template — a living document system tailored to your organisation.

Risk Register with Treatments

Every identified risk recorded, assessed, and mapped to a treatment decision. Auditors want to see that you understand your risk landscape — this proves it.

Statement of Applicability (SoA)

All 93 Annex A controls addressed. Each control is marked as applicable or excluded, with a justified rationale. This is the document your auditor will scrutinise first.

Evidence Pack — Annex A Aligned

Organised, auditor-ready evidence for every implemented control. Screenshots, configuration exports, logs, and access review records — structured so your audit runs smoothly.

Policy Pack

Information Security Policy, Acceptable Use Policy, Disaster Recovery Plan, Business Continuity Plan, and Vendor Management Policy — all drafted and approved.

Internal Audit Support

We prepare you for Stage 1 and Stage 2 audits, conduct internal audit walkthroughs, and sit alongside your team during the certification body's review.

FAQ

Common questions.

How long does certification take?

With Veratlas, the technical implementation and documentation take 90 days. After that, you engage a certification body for a Stage 1 (document review) and Stage 2 (on-site or remote audit). Certification typically comes 3–6 months after we finish the Sprint, depending on the certification body's schedule. From kick-off to certificate: expect 6–9 months total.

Do you help us choose a certification body?

Yes. We will advise on which accredited certification body (CB) fits your size, geography, and budget. We do not take referral fees — our recommendation is based entirely on what is right for you.

How much of our team's time is required?

Approximately 4–6 hours per month during the Sprint, primarily for evidence reviews and policy approvals. We handle the implementation. You approve and sign off. After certification, ongoing commitment drops to around 2–4 hours per month.

ISO 27001 or SOC 2?

It depends on your customer base. ISO 27001 is the European and international standard — if your buyers are in the EU, UK, or internationally, it is the right choice. SOC 2 is primarily recognised by US enterprise buyers. Some companies pursue both. Book a Fit Call and we will give you an honest recommendation based on your ICP.

Ready to get started?

Talk to us about your timeline, your customer base, and the deals you want to unlock. We will tell you exactly what the path looks like.

Book a Fit Call
or
Take the free Security Snapshot

2 minutes · Zero commitment · Instant security grade